Hackers Can Remotely Set Ablaze HP Printers, Researchers Say

A security vulnerability discovered in Hewlett-Packard printers would allow hackers to steal data from the printers, cause them to burst into flames or use them as a launchpad to attack other computers connected to the printers.

Each time the printer accepts a print job from a computer, it examines the job for any software updates that might be included in the request. Because the HP firmware doesn’t require a digital signature to verify that an upgrade is authentic, attackers can send specially crafted files to the printer that contain malicious code. They can do so remotely if the computer is configured to print jobs sent to it over the internet.
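The missing control described above, as an added example (not HP's firmware or the researchers' code): a job handler that flashes an embedded update only when a digital signature over the image verifies against a vendor public key held by the device. The marker string, the job layout and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

var marker = []byte("%%FIRMWARE-UPDATE%%\n") // constructed tag, not HP's real job syntax

// handleUnsigned models the behaviour described above: any update is flashed unchecked.
func handleUnsigned(job []byte) string {
	if bytes.HasPrefix(job, marker) {
		return "flash"
	}
	return "print"
}

// handleVerified flashes only on a valid Ed25519 signature (assumed layout: marker|sig|image).
func handleVerified(job []byte, vendor ed25519.PublicKey) string {
	if !bytes.HasPrefix(job, marker) {
		return "print"
	}
	body := job[len(marker):]
	if len(body) <= ed25519.SignatureSize {
		return "reject" // too short to hold a signature plus an image
	}
	sig, image := body[:ed25519.SignatureSize], body[ed25519.SignatureSize:]
	if !ed25519.Verify(vendor, image, sig) {
		return "reject"
	}
	return "flash"
}

// demo builds constructed sample jobs and returns each handler's decision.
func demo() (oldUnsigned, newUnsigned, newSigned, newTampered string) {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in vendor key pair
	image := []byte("constructed firmware image bytes")
	job := func(sig []byte) []byte { return append(append(append([]byte{}, marker...), sig...), image...) }
	unsigned := job(make([]byte, ed25519.SignatureSize)) // all-zero "signature"
	signed := job(ed25519.Sign(priv, image))
	tampered := job(ed25519.Sign(priv, image))
	tampered[len(tampered)-1] ^= 1 // image altered after signing
	return handleUnsigned(unsigned), handleVerified(unsigned, pub), handleVerified(signed, pub), handleVerified(tampered, pub)
}

func main() {
	fmt.Println(demo())
}
```

The unchecked handler accepts the unsigned image, while the verifying handler rejects both the unsigned and the tampered image and accepts only the one signed by the vendor key.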

The researchers, conducting a quick scan of the internet, were able to find 40,000 devices connected to the internet that they said could be quickly infected in this way.

The research was conducted by the computer science department of Columbia University’s School of Engineering and Applied Science, under grants from government and industry.

Researchers Salvatore Stolfo and Ang Cui showed MSNBC how attackers could use the flaw to control a printer’s fuser – which dries the printer ink once it’s applied to a piece of paper – causing it to heat up continuously until paper inside the printer turned brown and began to smoke. A thermal switch shut the printer down before the paper caught fire, but the researchers told MSNBC that other printers might indeed be used to launch fires.

The academics gave a private briefing about the flaws to federal agencies two weeks ago, and also notified Hewlett-Packard, but they say there’s no easy fix for the vulnerability.

“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui told MSNBC. “This is nothing like fixing a virus on your PC.”

HP has disputed some of the researchers’ claims, saying that the hack would be difficult to execute. The company also said that HP LaserJet printers produced since 2009 do require digital signatures to verify firmware upgrades. HP has sold 100 million LaserJet printers since 1984, but the company said that most home users have InkJet printers – not LaserJet printers – that do not permit remote firmware upgrade and therefore would not be vulnerable to this.